DIGITAL SIGNATURES ON A SMARTCARD

This application is a continuation-in-part of Application 08/632,845. 

The present invention relates to methods and apparatus for generating digital
signatures.

It has become widely accepted to conduct transactions, such as financial
transactions or exchange of documents, electronically. In order to verify the transaction, it is
also well-known to "sign" the transaction digitally so that the authenticity of the transaction
can be verified. The signature is performed according to a protocol that utilizes the message,
i.e. the transaction, and a secret key associated with the party. The recipient can verify the
signature using a public key of the signing party to recover the message and compare it with
the transmitted message. Any attempt to tamper with the message or to use a key other than
that of the signing party will result in an incompatibility between the sent message and that
recovered from the signature or will fail to identify the party correctly and thereby lead to
rejection of the transaction.

The signature must be performed such that the signing party's secret key
cannot be determined. To avoid the complexity of distributing secret keys, it is convenient to
utilize a public key encryption scheme in the generation of the signature. Such capabilities
are available where the transaction is conducted between parties having access to relatively
large computing resources but it is equally important to facilitate such transactions at an
individual level where more limited computing resources are available.

Automated teller machines (ATMs) and credit cards are widely used for 
personal transactions and as their use expands, so the need to verify such transactions 
increases. Transaction cards, i.e. credit/debit cards or pass cards are now available with 
limited computing capacity (so-called "Smart Cards") but these do not have sufficient 
computing capacity to implement existing digital signature protocols in a commercially
viable manner. 

As noted above, in order to generate a digital signature, it is necessary to
utilize a public key encryption scheme. Most public key schemes are based on the
Diffie-Hellman public key protocol and a particularly popular implementation is that known as DSS.
The DSS scheme utilizes the set of integers Z_p where p is a large prime. For adequate
security, p must be in the order of 512 bits although the resultant signature may be reduced
mod q, where q divides p-1, and may be in the order of 160 bits.

The DSS protocol provides a signature composed of two components r, s. The 
protocol requires the selection of a secret random integer k referred to as the session key from 
the set of integers {0, 1, 2, ..., q-1}, i.e.

k ∈ {0, 1, 2, ..., q-1}.

The component r is then computed such that 
r = (β^k mod p) mod q
where β is a generator of q.
The component s is computed as

s = [k^-1 (h(m) + ar)] mod q
where m is the message to be transmitted, 
h(m) is a hash of that message, and 
a is the private key of the user. 

The signature associated with the message is then s,r which may be used to 
verify the origin of the message from the public key of the user. 

The value β^k is computationally difficult for the DSS implementation as the
exponentiation requires multiple multiplications mod p. This is beyond the capabilities of a 
"Smart Card" in a commercially acceptable time. Although the computation could be 
completed on the associated ATM, this would require the disclosure of the session key k to 
the ATM and therefore render the private key, a, vulnerable. 

It has been proposed to precompute β^k and store sets of values of r and k on
the card. The generation of the signature then only requires two 160 bit multiplications and 
signing can be completed within X A second for typical applications. However, the number of 
sets of values stored limits the number of uses of the card before either reloading or 
replacement is required. A problem that exists therefore is how to generate sufficient sets of 
values within the storage and/or computing capacity of the card. 

One possibility is to use a smaller value of p but with the DSS scheme this
will jeopardize the security of the transaction. 

An alternative encryption scheme that provides enhanced security at relatively 
small modulus is that utilizing elliptic curves in the finite field 2^m. A value of m in the order
of 155 provides security comparable to a 512 bit modulus for DSS and therefore offers 
significant benefits in implementation. 

Diffie-Hellman public key encryption utilizes the properties of discrete logs so
that even if a generator β and the exponentiation β^k are known, the value of k cannot be
determined. A similar property exists with elliptic curves where the addition of two points
on a curve produces a third point on the curve. Similarly, multiplying any point on the curve
by an integer k produces a further point on the curve. However, knowing the starting point
and the end point does not reveal the value of the integer 'k' which may then be used as a
session key for encryption. The value kP, where P is an initial known point, is therefore
equivalent to the exponentiation β^k.

In order to perform a digital signature on an elliptic curve, it is necessary to 
have available the session key k and a value of kP referred to as a "session pair". Each 
signature utilizes a different session pair k and kP and although the representation of k and kP 
is relatively small compared with DSS implementations, the practical limits for "Smart 
Cards" are in the order of 32 signatures. This is not sufficient for commercial purposes. 

One solution for both DSS and elliptic curve implementations is to store pairs 
of signing elements k, kP and combine stored pairs to produce a new session pair. For an 
elliptic curve application, this would yield a possible 500 session pairs from an initial group 
of 32 stored signing elements. The possibilities would be more limited when using DSS 
because of the smaller group of signing elements that could be stored. 

In order to compute a new session pair, k and kP, from a pair of stored signing
elements, it is necessary to add the values of k, e.g. k_1 + k_2 → k, and the values of k_1P and k_2P
to give a new value kP. In an elliptic curve, the addition of two points to provide a third
point is performed according to set formula such that the addition of a point k_1P having
coordinates (x_1,y_1) and a point k_2P having coordinates (x_2,y_2) provides a point k_3P whose x
coordinate x_3 is given by:

x_3 = ((y_1 ⊕ y_2)/(x_1 ⊕ x_2))^2 ⊕ (y_1 ⊕ y_2)/(x_1 ⊕ x_2) ⊕ x_1 ⊕ x_2

This computation may be significantly simplified using the normal basis
representation in a field F_(2^m), as set out more fully in our PCT Application Serial No. PCT
/CA/300452, the contents of which are incorporated herein by reference. However, even
using such advantageous techniques, it is still necessary to utilize a finite field multiplier and
provide sufficient space for code to perform the computation. This is not feasible within the
practical limits of available "Smart" cards.

As noted above, the ATM used in association with the card has sufficient
computing power to perform the computation but the transfer of the coordinates of k_1P and
k_2P from the card to the terminal would jeopardize the integrity of subsequent digital
signatures as two of the stored signing elements would be known.

It is therefore an object of the present invention to obviate or mitigate the
above disadvantages and facilitate the preparation of additional pairs of values from a
previously stored set.

In general terms, one aspect of the present invention proposes to compute on 
one computing device an initial step in the computation of a coordinate of a point derived 
from a pair of points to inhibit recognition of the individual components, transfer such 
information to another computing device remote from said one device, perform at least such 
additional steps in said derivation at such other device to permit the completion of the 
derivation at said one device and transfer the result thereof to said one computing device. 

Preferably, the initial step involves a simple field operation on the two sets of 
coordinates which provides information required in the subsequent steps of the derivation. 

Preferably also the additional steps performed at the other device complete the
derivation.

In a preferred embodiment, the initial step involves the addition of the x
coordinates and the addition of the y coordinates to provide the terms (x_1 ⊕ x_2) and (y_1 ⊕ y_2).

The addition of the coordinates is an XOR operation that can readily be 
performed on the card and the results provided to the terminal.



In this manner, the coordinates (x,y) representing kP in a stored signing 
element are not disclosed as insufficient information is provided even with subsequent uses 
of the card. Accordingly, the x coordinate of up to 500 signatures can be generated from an 
initial set of 32 stored signing elements. 

The new value of k can be computed on the card and to avoid computing the
inverse k^-1, alternative known masking techniques can be utilized.

A further aspect of the present invention provides a method of generating 
additional sets of points from the initial set that may be used individually as a new value of 
kP or in combination to generate still further values of kP. 

According to this aspect of the invention, the curve is an anomalous curve and
the Frobenius Operator is applied to at least one of the coordinates representing a point in the
initial set to provide a coordinate of a further point on the elliptic curve. The Frobenius
Operator φ provides that for a point (x_1,y_1) on an anomalous curve, then φ(x_1,y_1) is a point
(x_1^2, y_1^2) that also lies on the curve. In general, φ^i(x_1,y_1) is a point (x_1^(2^i), y_1^(2^i)) that also
lies on the curve. For a curve over the field 2^m, there are m Frobenius Operators so for each value of kP
stored in the initial set, m values of kP may be generated, referred to as "derived" values.
The new value of k associated with each point can be derived from the initial relationship
between P and φP and the initial value of k.

For a practical implementation where 32 pairs of signing elements are initially
retained on the card and the curve is over the field 2^155, utilizing the Frobenius Operator
provides in the order of 4960 possible derived values and by combining pairs of such derived
values as above in the order of 10^7 values of kP can be obtained from the initial 32 stored
signing elements and the corresponding values of k obtained to provide 10^7 session pairs.

Preferably, the stored values of kP are in a normal basis representation. The 
application of the Frobenius Operator then simply requires an "i"-fold cyclic shift to obtain the
value for a φ^i operation.

According to a further aspect of the invention, there is provided a method of 
generating signature components for use in a digital signature scheme, said signature 
components including private information and a public key derived from said private 
information, said method comprising the steps of storing private information and related 
public key as an element in a set of such information, cycling in a deterministic but
unpredictable fashion through said set to select at least one element of said set without
repetition and utilizing said one element to derive a signature component in said digital 
signature scheme. 

Embodiments of the invention will now be described by way of example only 
with reference to the accompanying drawings, in which 

Figure 1 is a schematic representation of a programmable credit card; 

Figure 2 is a schematic representation of a transaction performed between the 
card and network; 

Figure 3 is a schematic representation of the derivation of a session pair from 
a pair of stored signing elements; 

Figure 4 is a schematic representation of one step in the transmission of 
information shown in Figure 2; 

Figure 5 is a schematic representation of a preferred implementation of the 
derivation of a session pair from two pairs of stored values; and 

Figure 6 is a schematic representation of a selection unit shown in Figure 1.

Figure 7 is a schematic representation of a further embodiment of the 
derivation of session pairs from stored values. 
The System 

Referring therefore to Figure 1, a programmable credit card 10 (referred to as 
a 'SMART' card) has an integrated circuit 12 embedded within the body of card 10. 

The integrated circuit includes a logic array 14, an addressable memory 16 
and a communication bus 18. The memory 16 includes a RAM section 20 to store 
information, a pair of cyclic shift registers 22 for temporary storage of information and 
programming code 24 for control of the logic array 14 and communication bus 18. The array 
14 includes an arithmetic unit 26 to provide modular arithmetic operation, e.g. addition and
multiplication, and a selection unit 28 controlled by the programming code 24. It will be
appreciated that the description of the card 10 is a schematic and restricted to that necessary 
for explanation of the preferred embodiment of the invention. 

The card 10 is used in conjunction with a terminal 30, for example an 
automated teller machine (ATM), that is connected to a network to allow financial 
transactions to be conducted. The terminal 30 includes a keypad 32 to select options and
tasks and has computing capabilities to perform the necessary functions in conjunction with
the card 10.

Access to the terminal 30 is obtained by inserting card 10 into a reader 34 and 
entering a pass code in a conventional manner. The pass code is verified with the card 10 
through communication bus 18 and the terminal 30 activated. The keypad 32 is used to 
select a transaction, for example a transfer of funds, between accounts and generate a 
message through the network to give effect to the transactions, and card 10 is used to sign 
that transaction to indicate its authenticity. The signature and message are transmitted over 
the network to the intended recipient and upon receipt and verification, the transaction is 
completed. 

The Card 

The RAM section 20 of memory 16 includes a digital data string representing a
private key, a, which remains secret with the owner of the card and a corresponding public
key Q = aP where P is the publicly known initial point on the selected curve. The RAM
section 20 also includes a predetermined set of coordinates of points, kP, on an elliptic curve
that has been preselected for use in a public key encryption scheme. It is preferred that the
curve is over a finite field 2^m, conveniently, and by way of example only, 2^155, and that the
points kP are represented in normal basis representation. The selected curve should be an
anomalous curve, e.g. a curve that satisfies y^2 + xy = x^3 + 1, and has an order, e. Each point
kP has an x coordinate and a y coordinate and is thus represented as two 155 digital data
strings that are stored in the RAM 20. By way of example, it will be assumed that the RAM
20 contains 32 such points identified generically as kP and individually as k_0P, k_1P ... k_31P.
Similarly, their coordinates (x,y) will be individually designated x_0 y_0 ... x_31 y_31.

The points kP are precomputed from the chosen parameters of the curve and 
the coordinates of an originating point P. The k-fold addition of point P will provide a 
further point kP on the curve, represented by its coordinates (x,y) and the value of k cannot 
be determined even if the coordinates of points P and kP are known. 

RAM 20 therefore contains the values of k associated with the respective 
points kP so that a set of stored signing elements k,kP is available for use in the signing of 
the transaction. 




Signing 

To sign a message m generated by the transaction, one session pair k_j, k_jP is
required and may be obtained from RAM 20 as set out more fully below. Assuming that
values k_j, k_jP have been obtained, the signing protocol requires a signature (r,s) where

r is the data string representing the x-coordinate, x_j, reduced mod q (q is
a preselected publicly known divisor of e, the order of the curve, i.e.
q/e_x); and

s = [k^-1 (h(m) + ar)] mod q where h(m) is a q-bit hash of the message m
generated by the transaction.

In this signature, even though r is known, s contains the secret k and the 
private key, a, and so inhibits the extraction of either. 

The generation of s requires the inversion of the value k and since k is itself to 
be derived from the stored set of values of k, it is impractical to store corresponding inverted 
values of possible k's. Accordingly, a known masking technique is used to generate 
components r, s^1 and u of a signature. This is done by selecting an integer, c, and computing
a value u = ck. The value s^1 = c(h(m) + ar) mod q.

The signature value s can then be obtained by the recipient computing s^1 u^-1 =
k^-1 [h(m) + ar].

The signature (r, s^1, u) can be computed on the card 10 and forwarded by bus 18
to the terminal 30 for attachment to the message m. 
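
The masking step described above can be followed in a short sketch. This is an added example, not code from the patent: it uses the DSS form of the signature with constructed toy parameters (p = 2267, q = 103), SHA-256 reduced mod q as the hash, and hypothetical function names.

```python
import hashlib

# Constructed toy DSS parameters (far too small for real use): q divides p - 1.
P, Q = 2267, 103
BETA = pow(2, (P - 1) // Q, P)        # element of order q in Z_p*

def h(msg: bytes) -> int:
    """Hash of the message reduced mod q (SHA-256 is an assumption here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def precompute_pair(k):
    """Done ahead of time, off the card: the stored pair (k, r)."""
    return k, pow(BETA, k, P) % Q

def card_sign(msg, a, k, r, c):
    """On-card step: emit (r, s1, u) with multiplications mod q only; k is
    never inverted. Returns None when the pair has to be rejected because
    r == 0 or the recovered s would be 0."""
    t = (h(msg) + a * r) % Q
    if r == 0 or t == 0:
        return None
    u = (c * k) % Q                   # u = ck
    s1 = (c * t) % Q                  # s^1 = c(h(m) + ar) mod q
    return r, s1, u

def recover_s(s1, u):
    """Recipient step: s = s^1 * u^-1 = k^-1 (h(m) + ar) mod q."""
    return (s1 * pow(u, -1, Q)) % Q

def dss_verify(msg, r, s, y):
    """Standard DSS check of (r, s) against the public key y = beta^a mod p."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(BETA, h(msg) * w % Q, P) * pow(y, r * w % Q, P)) % P % Q
    return v == r
```

Because u = ck is sent in the clear, anyone who learns c can divide it out and recover k, so c has to be nonzero mod q and handled with the same secrecy and freshness as the session key.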

Generation of Session Pair 

As noted above, in order to generate the signature (r,s), it is necessary to have
a session pair k and kP. Security dictates that each session pair is only used once and it is
assumed that the number of signing elements stored in RAM 20 is insufficient for 
commercial application. 




In the preferred embodiment, two techniques are used to generate additional 
session pairs to the stored signing elements. It will be appreciated that each technique may 
be used individually although the combination of the two is preferred. 

(i) Frobenius Operator

The first technique involves the use of the Frobenius Operator to derive
additional session pairs from the stored signing elements and is shown in Figure 3. The
Frobenius Operator denoted φ operates on a point P having coordinates (x,y) on an
anomalous elliptic curve in the finite field 2^m such that φ^i P = (x^(2^i), y^(2^i)). Moreover, the point
φ^i P is also on the curve. In the field 2^155, there are 155 Frobenius Operators so each point kP
stored in memory 20 may generate 155 points on the curve by application of the Frobenius
Operators. Thus, for the 32 values of kP stored, there are 4960 possible values of kP
available by application of the Frobenius Operator.

j! To derive the value of 0'P, it is simply necessary to load the x and y 

4S 1 5 coordinates of a point kP into respective shift registers 22 and perform an i-fold cyclic shift. 

Because the coordinates (x,y) have a normal basis representation, a cyclic shift in the register 
22 will perform a squaring operation, and an i-fold cyclic shift will raise the value to the 
power 2\ Therefore, after the application of i clock cycles, the registers 22 contain the 
coordinates of 0XkP) which is a point on the curve and may be used in the signing protocol. 
20 The 155 possible values of the coordinates (x,y) of 0'(kP) may be obtained by simple cyclic 
shifting. The representations in the registers 22 may then be used to obtain r. 

Where the use of Frobenius Operator provides sufficient values for 
commercial use, only one coordinate is needed to compute the value of r and so only a single 
shift register is needed. However, as will be described below, further session pairs can be 
derived if both the coordinates are known and so a pair of registers is provided.

For each value of φ^i(kP), it is necessary to obtain the corresponding value of k.
φ(P) = λP. λ is a constant that may be evaluated ahead of time and the values of its first m
powers, λ^i, computed. The m values are stored in RAM 20.

In general, φ^i(kP) = λ^i kP so the value of k associated with φ^i(kP) is λ^i k.
Since k is stored for each value of kP in RAM 20 and λ^i is also stored, the new value of k, i.e.
λ^i k, can be computed using the arithmetic unit 26.

As an alternative, to facilitate efficient computation of λ^i and avoid excessive
storage, it is possible to precompute specific powers of λ and store them in RAM 20.
Because m is 155 in the specific example, the possible values of i can be represented as an
8-bit binary word. The values of λ^2 → λ^(2^7) are thus stored in RAM 20 and the value of λ
represented in binary. The prestored powers of λ are then retrieved as necessary and
multiplied mod e by arithmetic unit 26 to provide the value of λ^i. This is then multiplied by k
to obtain the new value associated with φ^i(kP).

It will be seen therefore that new session pairs k, kP may be derived simply 
and efficiently from the stored signing elements of the initial set. These session pairs may be 
computed in real time, thereby obviating the need to increase storage capacity and their 
computation utilizes simple arithmetic operations that may be implemented in arithmetic unit
26.

(ii) Combining Pairs 

A further technique, illustrated schematically in Figure 4, to increase the
number of session pairs of k and kP available, and thereby increase the number of signatures
available from a card, is to combine pairs of stored signing elements to produce a new
derived value. The addition of two points k_1P and k_2P will produce a third point k_3P that also
lies on the curve and may therefore be used for signatures.

The addition of two points having coordinates (x_1,y_1), (x_2,y_2) respectively on a
curve produces a new point having an x coordinate x_3 where

x_3 = ((y_1 ⊕ y_2)/(x_1 ⊕ x_2))^2 ⊕ (y_1 ⊕ y_2)/(x_1 ⊕ x_2) ⊕ x_1 ⊕ x_2

In the finite field 2^m, y_1 ⊕ y_2 and x_1 ⊕ x_2 is an XOR field operation that may
be performed simply in logic array 16. Thus the respective values of x_1, x_2 and y_1, y_2 are
placed in respective ones of registers 22 and XOR'd. The resultant data string is then passed
over communication bus 16 to the terminal 30. The terminal 30 has sufficient computing
capacity to perform the inversion, multiplication and summation to produce the value of x_3.
This is then returned to register 22 for signature. The potential disclosure of x_3 does not
jeopardize the security of the signature as the relevant portion is disclosed in the transmission
of r.

The value of k_1 + k_2 is obtained from the arithmetic unit 26 within logic array
16 to provide a value of k_3 and hence a new session pair k_3, k_3P is available for signature.

It will be appreciated that the value for y_3 has not been computed as the
signing value r is derived from x_3 rather than both coordinates.

It will be noted that the values of x_1 and x_2 or y_1 and y_2 are not transmitted to
terminal 30 and provided a different pair of points is used for each signature, then the values
of the coordinates remain undisclosed.

At the same time, the arithmetic functions performed on the card are relatively
simple and those computationally more difficult are performed on the terminal 30.

Preferred Implementation of Generating Session Pairs

The above technique may of course be used with pairs selected directly from
the stored signing elements or with the derived values obtained using the Frobenius Operator
as described above. Alternatively, the Frobenius Operator could be applied to the value of kP
obtained from combining pairs of the stored signing elements to provide m possible values of
each derived value.

To ensure security and avoid duplication of session pairs, it is preferred that 
only one of the stored signing elements should have the Frobenius Operator applied, as in the 
preferred embodiment illustrated in Figure 5.

In this arrangement, the coordinates x_1, y_1 of one of the stored signing elements
are applied to the registers 22 and cyclically shifted i times to provide φ^i k_1P.

The respective coordinates, x_φ1, y_φ1, are XOR'd with the coordinates from
another of the stored values k_2P and the summed coordinates transmitted to ATM 30 for
computation of the coordinate x_3. This is retransmitted to the card 10 for computation of the
value r.

The value of k_1 is processed by arithmetic unit 26 to provide λ^i k_1 and added to
k_2 to provide the new value k_3 for generation of signature component s. In this embodiment,
from an original set of 32 stored signing elements stored on card 10, it is possible to generate
in the order of 10^7 session pairs. In practice, a limit of 10^6 is realistic.
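
Techniques (i) and (ii) and their combination in Figure 5 can be checked end to end on a small curve. The following is an added example, not code from the patent: it uses the curve y^2 + xy = x^3 + 1 over a constructed 7-bit field in polynomial basis instead of the 155-bit normal-basis field, so the Frobenius squarings are multiplications rather than cyclic shifts, and all function names are hypothetical.

```python
# Toy field GF(2^7), polynomial basis (constructed for this example). The
# patent's field is 155 bits in a normal basis, where squaring is a cyclic shift.
M = 7
POLY = 0b10000011            # x^7 + x + 1, irreducible over GF(2)
O = None                     # point at infinity

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def gf_inv(a):
    r = 1
    for _ in range(M - 1):   # a^(2^M - 2) = a^2 * a^4 * ... * a^(2^(M-1))
        a = gf_mul(a, a)
        r = gf_mul(r, a)
    return r

def on_curve(P):
    x, y = P                 # y^2 + xy = x^3 + 1
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x) ^ 1

def add(P, Q):
    """Reference point addition, used only to check the split computation."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:          # Q = -P
            return O
        s = x1 ^ gf_mul(y1, gf_inv(x1))  # doubling
        x3 = gf_mul(s, s) ^ s
        return (x3, gf_mul(x1, x1) ^ gf_mul(s ^ 1, x3))
    s = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(s, s) ^ s ^ x1 ^ x2
    return (x3, gf_mul(s, x1 ^ x3) ^ x3 ^ y1)

def mul(k, P):
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def order(P):
    n, R = 1, P
    while R is not O:
        R, n = add(R, P), n + 1
    return n

def frobenius(P, i=1):
    """phi^i(x, y) = (x^(2^i), y^(2^i))."""
    x, y = P
    for _ in range(i):
        x, y = gf_mul(x, x), gf_mul(y, y)
    return (x, y)

POINTS = [(x, y) for x in range(1 << M) for y in range(1 << M)
          if on_curve((x, y))]
G = max(POINTS, key=order)   # plays the role of the known point P
N = order(G)
# lambda with phi(P) = lambda * P, found by search on the toy curve
LAMBDA = next(l for l in range(1, N) if mul(l, G) == frobenius(G))

def frobenius_pair(k, i):
    """Technique (i): stored (k, kP) -> (lambda^i * k mod N, phi^i(kP))."""
    return pow(LAMBDA, i, N) * k % N, frobenius(mul(k, G), i)

def card_xor(P1, P2):
    """Card side of technique (ii): only the two XOR sums leave the card."""
    return P1[0] ^ P2[0], P1[1] ^ P2[1]

def terminal_x3(dx, dy):
    """Terminal side: inversion, multiplication and summation give x3."""
    if dx == 0:
        raise ValueError("points share an x coordinate; select another pair")
    s = gf_mul(dy, gf_inv(dx))
    return gf_mul(s, s) ^ s ^ dx

def combined_pair(k1, i, k2):
    """Figure 5 flow: phi^i on one element, XOR with a second, x3 off-card."""
    k1f, P1 = frobenius_pair(k1, i)
    dx, dy = card_xor(P1, mul(k2, G))
    return (k1f + k2) % N, terminal_x3(dx, dy)
```

The `ValueError` branch covers the case where the two selected points are equal or negatives of each other, for which the XOR of the x coordinates is zero and the addition formula does not apply.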

Selection of Pairs of Stored Signing Elements

The above procedure requires a pair of stored signing elements to be used to 
generate each session pair. In order to preserve the integrity of the system, the same set 
cannot be used more than once and the pairs of stored values constituting the set must not be 
selected in a predictable manner.

This selection function is performed by the selection unit 28 whose operation 
is shown schematically in Figure 6. 

Selection unit 28 includes a set of counters 40,42,44 whose outputs address
respective look up tables 46,48,50. The look up tables 46,48,50 map the successive outputs
of the counters to pseudo random output values to provide unpredictability for the selection
of stored signing elements.

The 32 stored values of k and kP are assigned nominal designations as
elements in a set 52 ranging from -15 to +15 with one designated ∞. To ensure that all
available combinations of stored values are used without repetition, the nominal designations
are grouped in 16 pairs in an ordered array 54 such that the difference (mod 31) in the
assigned values of a pair uses all the numbers from 1 to 30. ∞ is grouped with 0. This array
provides a first row of a notional matrix.

Successive rows 54a,b,c,etc. of the notional matrix are developed by adding 1
to each assigned designation of the preceding row until 15 rows are developed. In this way a
matrix is developed without repetition of the designations in each cell. By convention ∞ + 1
= ∞.

Counter 42 will have a full count after 15 increments and counter 40 will have
a full count after 14 increments. Provided the full count values of counters 40,42 are
relatively prime and the possible values of the counter 50 to select Frobenius Operator are
relatively large, the output of counters 40,42,44 are mapped through the tables 46,48,50
respectively to provide values for row and column of the notional matrix and the order i of
the Frobenius Operator to be applied.

The output of counter 48 selects a column of the array 54 from which a 
designation associated with a starting pair can be ascertained. In the example of Figure 6, the 
output of counter 42 is mapped by table 48 to provide an output of 3, indicating that column
3 of array 54 should be selected. Similarly, the output of counter 40 is mapped through table 
46 to provide a count of 3 indicating that values in row 3 of the matrix should be used. 

The assigned designations for a particular row are then obtained by adding the 
row value to the values of the starting pair. This gives a new pair of assigned designations 
that indicate the locations of elements in set 52. The signing elements are then retrieved from
the set 52. 

One of those pairs of signing elements is then output to a shift register 22 and
operated upon by the designated Frobenius Operator φ. The value of the Frobenius
Operation is obtained from the output of table 50 which maps counter 44. The value
obtained from table 5 sets the shift clock associated with register 22 so that the contents of
the register 22 are cyclically shifted to the Frobenius value φ indicated by the output of table
50.

Accordingly, a new value for kP is obtained. The associated value of k can be 
computed as described above with the arithmetic unit utilizing the output of table 50 to 
determine the new value of λ^i. Accordingly, a derived value is obtained.

The derived value and signing element are then combined as described at (ii) 
above to provide a new session pair k, kP for use in the signing process. 

The use of the counters 40,42 provides input values for the respective tables so 
that the array 54 is accessed in a deterministic but unpredictable fashion. The grouping of the 
pairs in the array 54 ensures there is no repetition in the selected elements to maintain the
integrity of the signature scheme. 

Counter 44 operates upon one of the selected pairs to modify it so that a 
different pair of values is presented for combination on each use, even though multiple access 
may be made to the array 54. 
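
The no-repetition property of array 54 and the counter-driven selection can be checked directly. This is an added example, not code from the patent: the starter pairs (i, -i) are one choice that meets the stated difference condition, the two tables are constructed permutations standing in for look up tables 46 and 48, and stepping both counters once per signature is an assumption.

```python
INF = "inf"          # the designation written as infinity in the text
MOD = 31

def starter_row():
    """16 pairs over {-15..15, INF}. Pairing i with -i is an assumed starter
    whose differences mod 31 use every value 1..30; INF is grouped with 0."""
    return [(INF, 0)] + [(i, -i) for i in range(1, 16)]

def bump(d, r):
    """Add r to a designation mod 31, kept in -15..15; INF + r = INF."""
    return INF if d == INF else (d + r + 15) % MOD - 15

def matrix(rows):
    """Row r of the notional matrix is the starter row with r added throughout."""
    return [[(bump(a, r), bump(b, r)) for a, b in starter_row()]
            for r in range(rows)]

def differences(row):
    """All differences (mod 31), in both directions, of the finite pairs."""
    finite = [(a, b) for a, b in row if a != INF]
    return ({(a - b) % MOD for a, b in finite}
            | {(b - a) % MOD for a, b in finite})

# Constructed stand-ins for look up tables 46 and 48: fixed permutations of the
# counter values. A real card would hold its own pseudo random mappings.
ROW_COUNT, COL_COUNT = 14, 15          # full counts of counters 40 and 42
TABLE_46 = [(5 * i + 2) % ROW_COUNT for i in range(ROW_COUNT)]
TABLE_48 = [(7 * i + 3) % COL_COUNT for i in range(COL_COUNT)]

def selections(uses):
    """Step both counters once per signature and return the selected pairs of
    designations as frozensets, in order of use."""
    m = matrix(ROW_COUNT)
    out = []
    for n in range(uses):
        row = TABLE_46[n % ROW_COUNT]
        col = TABLE_48[n % COL_COUNT]
        out.append(frozenset(m[row][col]))
    return out
```

With full counts of 14 and 15 the (row, column) sequence only wraps after 210 uses; from there on it is the Frobenius order chosen through counter 44 that keeps the resulting session pair from repeating.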



The counters 40,42,44 may also be utilized to limit the use of the Smart Card 
if desired so that a forced expiry will occur after a certain number of uses. Given the large 
number of possible signatures, this facility may be desirable. 

Alternative structures to the look up tables 46,48,50 may be utilized, such as a 
linear feedback shift register, to achieve a mapped output if preferred. 

Further selection of the session pairs can be obtained by preprocessing of the 
contents of register 52 using one or more of the techniques shown in Figures 7, 8 or 9. 

In its simplest form, as shown in Figure 7, a source row 's' is selected and the
session pair k_s, k_sP read from the register. A function is applied to the session pair, which for
example is the Frobenius operation as set out in Figure 3 to provide a new session pair λ^i k_s;
φ^i(k_sP). A destination row, d, is then selected in the table 52 and the new session pair
combined with the contents of that row to generate a new pair of values. The contents of the
table 52 are thus updated and a selection of pairs may be made for the generation of a new
session pair as described above.

The preprocessing may be repeated a number of times with different source 
rows s, and destinations, d, so that a thorough mixing is obtained. The source
rows, s, and destinations, d, may be selected deterministically using the counters 40,42.

Alternatively, where the card 10 does not have adequate computing power or a 
curve other than an anomalous curve is used, an alternative function may be applied to the 
selected row. For example, a sign may be applied to the selected row prior to accumulation 
of a destination. 

An alternative embodiment is shown in Figure 8 where multiple source rows 
s_1 ... s_n are used and the selected session pairs combined. Typically two source rows are used
but more than two can be combined if preferred. In this case the combining may proceed as 
shown in Figure 5 and the new value accumulated at the destination row, d, of the register. 
As the x coordinate of the combined point will identify one of the coordinates in the register 
52, it is preferred to perform the computation on the card where feasible. 

The selected session pairs may be modified prior to or subsequent to their addition by 
application of a second function, e.g. signing, (as shown in ghosted outline) to provide 
further security in the updating of the register 52. 



Where a random number generator is incorporated on the card 10, the above 
preprocessing may be used effectively in the production of the cards. Referring to Figure 9, 
an initial set of session pairs is injected into the register 52 of each card 10. A random 
number generator 60 is run for an initial period and its output used to select the source and 
destination rows of the register 52. The source row is accumulated with the destination row
so that the session pairs of the set are changed with each iteration. If preferred, a function
such as a sign or a Frobenius operation may be applied to the selected session pair before 
accumulation. The mixing continues for a further period with the output of generator 60 
being used periodically to select each row. Once the register is considered thoroughly mixed, 
the session pairs may be selected and combined as described above for Figure 6. As the 
output of each generator 60 will vary from device to device, the sets of session pairs in each 
register 52 will also vary from device to device. Therefore the same initial table may be used 
but different session pairs will be generated. 

In summary, therefore, pairs of signing elements from an initial set of stored 
values can be selected in a deterministic and unpredictable manner and one of those elements 
operated upon by the Frobenius Operator to provide additional values for the elements. The 
elements may then be combined to obtain a new session pair with a portion of the 
computation being performed off card but without disclosing the value of the elements. 
Accordingly, an extended group of session pairs is available for signing from a relatively 
small group of stored values. 



